[strongSwan] NAT-T, SNAT/DNAT and TCP checksum incorrect on peer VPN gateway (site-to-site)

Narendra Joshi narendraj9 at gmail.com
Tue Apr 21 20:38:40 CEST 2020


I have set up an IPSec gateway on a virtual instance in a VPC using 
a cloud provider. The cloud provider has Elastic IPs that aren't 
attached to any network interface on the virtual instance so 
strongSwan uses NAT-T. Also I need to do SNAT/DNAT for mapping my 
side of the subnet that is advertised to my VPN peer.

I have found that this setup causes very frequent TCP checksum 
failures. They are so frequent that an HTTP request fails ~50% of 
the time because TCP connect times out.  It would be great if 
anyone who has faced something similar before can help me 
understand what is happening and how it can be avoided.

Here is an image of the setup I have: 
[Attachment scrubbed by the list: site-to-site-nat-t-snat-dnat.png (image/png, 44175 bytes), "VPN Network Topology":
<http://lists.strongswan.org/pipermail/users/attachments/20200421/e13758c9/attachment-0001.png>]

Best regards,
Narendra Joshi
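The mechanism behind the symptom in the post: the TCP checksum is computed over a pseudo-header that contains the source and destination IP addresses, so any SNAT/DNAT rewrite of an address must also update the TCP checksum (and the IP header checksum), or the far end sees "TCP checksum incorrect" and drops the segment. The following is an added example, not code from the post or from strongSwan; the hosts 10.0.1.23, 172.16.0.23 and 192.168.50.10 are constructed, and `snat()` is a hypothetical minimal NAT step that either leaves the checksum stale or applies the RFC 1624 incremental update that real NAT engines use.

```python
"""TCP checksum vs. NAT: rewriting an address without fixing the checksum
yields a segment the receiver rejects. Constructed example, not from the
original post or from strongSwan."""
import socket
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP length (RFC 793)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, TCP_PROTO, tcp_len)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Full recomputation; the checksum field (bytes 16-17) is treated as zero."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header + segment must be 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, no options) + payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    seg = header + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def incremental_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'). This is what a NAT engine applies
    when it swaps one address for another instead of re-summing the whole segment."""
    total = (((~old_csum) & 0xFFFF)
             + ((~ones_complement_sum(old_field)) & 0xFFFF)
             + ones_complement_sum(new_field))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def snat(src_ip: str, dst_ip: str, segment: bytes, new_src: str, fix_checksum: bool):
    """Hypothetical NAT step: rewrite the source address. Returns (src, dst, segment)."""
    if not fix_checksum:
        return new_src, dst_ip, segment  # broken NAT: pseudo-header changed, checksum left stale
    old = struct.unpack("!H", segment[16:18])[0]
    new = incremental_update(old, socket.inet_aton(src_ip), socket.inet_aton(new_src))
    return new_src, dst_ip, segment[:16] + struct.pack("!H", new) + segment[18:]


def demo():
    """Returns (valid before NAT, valid after NAT w/o fix, valid after NAT with fix)."""
    # Constructed addresses: private host, its SNAT-mapped address, and the VPN peer.
    host, mapped, peer = "10.0.1.23", "172.16.0.23", "192.168.50.10"
    seg = build_segment(host, peer, 40001, 80, b"GET / HTTP/1.1\r\nHost: peer\r\n\r\n")
    before = tcp_checksum_ok(host, peer, seg)
    stale = tcp_checksum_ok(*snat(host, peer, seg, mapped, fix_checksum=False))
    fixed = tcp_checksum_ok(*snat(host, peer, seg, mapped, fix_checksum=True))
    return before, stale, fixed


if __name__ == "__main__":
    print(demo())
```

When checking a capture for this, note where it was taken: a trace recorded on the sending host with checksum offload enabled will show "incorrect" checksums for every outgoing segment because the NIC fills them in after the capture point, so only a capture on the receiving side, or on a hop between the NAT and the receiver, tells you whether the checksums on the wire are actually wrong.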
